Barracuda Networks breached by automated SQL injection attack

Barracuda Networks is the latest security firm to be shamed by a successful attack against its assets.

Barracuda’s chief marketing officer Michael Perone has confirmed the breach in a post on the company blog, and explained how it all happened.

The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8) after close of business Pacific time.

Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market.

As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.

According to him, the compromised information was just names and email addresses, along with some one-way cryptographic hashes of salted passwords. No financial information has been compromised and all active passwords for applications in use are considered secure.

Considering that Barracuda is – among other things – a provider of perimeter security devices and the fact that the breach was the result of a misconfiguration of their own offering must sting a lot.